IDefense has launched its latest Quarterly Vulnerability Challenge which offers researchers up to $8,000 for reporting a working vulnerability allowing for remote code execution.
An additional $2,000 to $4,000 is available if the researcher can also deliver a working exploit.
IDefense has issued strict rules for the contest. No more than six vulnerabilities will be accepted, all of which must be present in the most recent versions of the software. Any exploit code must not contain any kind of malicious payload.
Flaws that allow for remote execution are among the most serious threats to users. Such outbreaks earn the highest alert levels from security monitoring sites, and are often referred to as 'critical' vulnerabilities.
Microsoft said that, although the company has a policy of not paying for vulnerability disclosures, it does not expressly support or oppose the iDefense programme.
"Microsoft does not oppose programmes that work through the established processes for responsible disclosure, and do not put customers at risk," a company spokesman said